Certificate Key Lengths: Bigger is Better


As previously discussed, Microsoft issued a security advisory announcing that it will block RSA keys shorter than 1024 bits. This behaviour arrives as an update for supported versions of Microsoft Windows (Windows 8 and Windows Server 2012 are unaffected because the functionality is already built in), and, of course, the block only takes effect on a machine once that update has been installed.

What is the impact to you? Possibly nothing. Even 1024-bit keys are no longer recommended; 2048-bit keys are the expected minimum. In fact, publicly trusted certificates with 1024-bit keys currently cannot be issued with expiry dates later than December 31, 2013. As a result, 1024-bit keys are also going the way of the dodo, albeit a couple of years behind.

However, if you do have key sizes smaller than 1024 bits in your environment, they will not be recognized on Windows machines with this update applied, potentially breaking an application or causing an outage. And even if you don’t apply the update on your application server, for example, that doesn’t mean you won’t suffer: browsers on machines that have applied the patch will refuse to connect to sites with small key sizes, effectively breaking your site anyway.

Microsoft recommends four methods of discovering small RSA key sizes in your environment:

1. Check certificates and certification paths manually

2. Use CAPI2 logging

3. Check certificate templates

4. Enable logging on computers that have the update installed

Here’s another idea: use an automated certificate discovery tool to scan your hosts/ports and CAPI stores and build an inventory upon which you can then set policy alerts when key sizes don’t meet your policy.

Entrust senior product manager Scott Shetler has worked in various areas of software management for 16 years. He leverages his background in product and service management at Entrust to manage the Certificate Services family of products, which have grown more than 30 percent under his tenure. He gained vast experience in software as a service (SaaS) and product management while at solution providers Necho Systems in Toronto and Workstream Inc in Ottawa.
